Sovereign nation states have been behind (or suspected of being behind) some of the worst cyberattacks. When a cyberattack has state involvement, the inevitable question is whether it constitutes an act of war. The answer can have a profound impact on insurance coverage because virtually every insurance policy has a war exclusion. In a case of first impression, a New Jersey trial court recently addressed whether a war exclusion applied to losses arising from the NotPetya cyberattack in 2017.[1]
The United States and several other countries contended that Russia was responsible for launching the NotPetya attack to destabilize Ukraine. NotPetya quickly spread beyond its intended targets in Ukraine, causing collateral damage to millions of computers worldwide. Among the many impacted organizations was the pharmaceutical company, Merck & Co. Inc., which suffered damage to 40,000 of its computers, costing it more than $1.4 billion.
Continue reading “The War Exclusion and State-Sponsored Cyberattacks: The Battle Is Won but Is the War Over?”
The “WannaCry” and “NotPetya” computer viruses that infected computer systems around the world in 2017 sounded a wakeup call. They demonstrated the power of a cyber event to disrupt the core operations of numerous companies and other organizations. Now some fear that another unpleasant surprise related to the 2017 virus attacks may be on the horizon—this time from the insurance industry. A recent lawsuit alleges that an insurer denied coverage for losses arising out of the “NotPetya” virus based on an exclusion for “hostile and warlike actions.” A version of this war exclusion appears in virtually all insurance policies, including cyberinsurance policies, which are supposed to address cyber events like “WannaCry” and “Not Petya.”